Meniu
RO

Malaysia’s DNS censorship policy is a global threat to Internet freedom

The Malaysian Communications and Multimedia Commission (MCMC) has made quite a stir earlier this month when it ordered internet service providers (ISPs) in the country to redirect DNS queries that are sent to alternative DNS providers back to their own servers.

The MCMC said at the time that the move was aimed at safeguarding the public from “harmful content,” namely the websites “related to online gambling, pornography, copyright infringement, scams, and other violations of Malaysian law.”

Before we go any further, let’s rewind a little and remind ourselves what DNS is and what its role is in the infrastructure of the web.

DNS stands for Domain Name System, and it essentially acts as the dictionary of the internet. When you type a web address into your browser, such as www.example.com, your computer needs to translate that human-readable address into an IP address, which is a numerical label that identifies a specific server on the internet. This translation is performed by a DNS resolver. This resolver is usually operated by your ISP or a third-party DNS service you have configured on your device.

In the context of the Malaysia watchdog’s order for ISPs to redirect DNS queries, this means that if users try to use alternative DNS providers (like Google DNS, Cloudflare DNS, or AdGuard DNS), their queries will be intercepted and redirected to the ISP’s own DNS servers. That is all ostensibly for the purpose of protecting them from “harmful” websites.

How easy is it for ISP to intercept and redirect traffic

From a technical standpoint, such a feat is possible because ISPs have control over the DNS traffic that passes through their networks. However, an important distinction should be made here. If you use an unencrypted, plaintext DNS server that uses either IPv4 or IPv6 protocols to return IP addresses, then your Internet provider can see what websites you’re visiting. That means your DNS queries and responses can be read, intercepted and potentially modified by anyone who has access to the network traffic, first and foremost, your ISP. Historically, the DNS traffic has been unencrypted, so this is the case for most users.

However, it will be much more challenging for ISPs to do the same with the user requests sent over encrypted DNS protocols. Encrypted DNS protocols, while not yet mainstream, are gaining traction as they address the privacy issues inherent in unencrypted DNS. Several secure protocols are used to transmit these encrypted requests. The most widely adopted are DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT). There is also a new cutting-edge protocol — DNS-over-QUIC (DoQ) that is superior to those two in terms of speed and reliability. It is still in the early stages of adoption: AdGuard DNS was the first public resolver to support it.

While using an encrypted DNS server protects your web history from becoming a bedtime read for your ISP, it can still deduce that you’re using an alternative DNS server. This is due to a process known as “bootstrap.” When your device first tries to use an encrypted DNS server, it must first resolve the IP address of that server through traditional, unencrypted DNS. This initial step, known as bootstrap, involves sending a standard, unencrypted DNS query to your ISP’s DNS server to obtain the IP address of the encrypted DNS server. This gives your ISP a hint that you are likely using a non-ISP DNS server.

However, this process is not clear-cut, and is likely to produce a lot of false positives. So in terms of implementation, we are not sure if the ISPs would go beyond just redirecting traffic. A lot will depend on the scope of the order and the responsibilities of an ISP under it. At first glance, it seems that the only way for the ISPs to make sure that the users with encrypted DNS won’t resort to alternative DNS providers would be to cut them off from the Internet, and this solution does sound extreme.

Bottom line: if you use an encrypted DNS you’ll have more chances to shield yourself from the forced rerouting of your DNS traffic.

The order enforcement is delayed: potential issues

Several days after the MCMC issued the order, it put its enforcement on ice. Malaysian Deputy Communications Minister Teo Nie Ching announced on September 9 that the authorities should have first consulted with industry leaders before moving forward with the order. She mentioned that this consultation process will now take place, without setting a specific timeline. “We want MCMC to conduct proper, comprehensive engagement. If they need one month, let’s do it. If they need three months, let’s do it,” she said.

The Malaysian government’s reversal on the issue follows the backlash the MCMC received after forcing ISPs to do its bidding. There were reports that people using public DNS resolvers operated by Google and Cloudflare were having issues with accessing the Internet. There have also been complaints from websites claiming to host legitimate content that have been rendered inaccessible as a result of being caught in the crosshairs. The MCMC advised the owners of those websites to contact their ISP, and if this does not work, the MCMC directly — but this apparently was not enough, since the order’s enforcement is now suspended indefinitely.

There are several scenarios as to what could have gone wrong. But first we need to take a quick detour to address something important. For starters, we do not believe that such orders have a place in today’s digital interconnected world. The spirit of that order is at odds with the idea of the free Web, and not only that — it encroaches on our basic right to choose the service that suits our needs the best way.

While the intention might be to protect users from harmful content, giving the government that much control is risky and opens the door to potential abuse. It’s our firm belief that it’s up to the individual user to decide which content they want to consume and which content they want to block. For instance, free public DNS services like AdGuard DNS offer non-filtering, ad-blocking, and family protection modes to help users manage their online experience. The user should have the agency, and not the service provider.

As to what could have gone wrong with the enforcement apart from the popular discontent, one of the possibilities is that the DNS servers approved by the government were instantly overloaded by the requests redirected from the blacklisted DNS servers. Some could have been affected by the issue of false positives when seemingly legitimate sites would not open.

What’s next?

The Malaysian authorities might have sent the decision for review, but they are not back to the drawing board. The idea is still very much on the table, and there is a good chance that it will be implemented. If not next week, then sometime this year.

The MCMC also said that it would not ban Virtual Private Networks as part of the order enforcement. The encryption provided by a VPN ensures that the ISP cannot see the user’s DNS queries or any other data. The ISP can detect when a user is connected to a VPN and identify the VPN server’s IP address, but it cannot access or alter the content of the traffic, including DNS queries made through the VPN. These DNS queries will be handled by the VPN’s own DNS servers.

At first glance, the decision not to block VPN services seems odd, as using a VPN would likely undermine the effectiveness of the order. One possible explanation is that the authorities may not expect many people to go to the trouble of using VPNs to bypass the restrictions.

By not targeting VPNs, the Malaysian government will be creating a loophole for accessing blocked content. However, the order is still concerning for user privacy and security. It could give ISPs and the government unfettered access to the list of domain names (like google.com or dailymail.com or pornhub.com) that the user has visited. Plus, if encrypted DNS users have their internet access cut off, it would undermine their user experience (to say the least), their security, and will set back online security standards in general.

In addition to these concerns, such policies could give pointers to other countries, especially those with little regard for democratic freedoms, setting a potentially dangerous precedent. The community must unite against these threats to the free web and make its disapproval clear. It might be Malaysia now, but your country could be next.

Ți-a plăcut această postare?